System and method for detecting fraud in prepaid accounts

ABSTRACT

The invention provides systems and methods providing independent determinations of services provided to be utilized in detection of fraud. According to a preferred embodiment, a call data record server is provided in communication with a prepaid calling system such that account refill/credit information is provided to the call data record server. The call data record server is also preferably in communication with systems providing subscriber services, such as a cellular service network, such that data regarding services utilized are provided to the call data record server. Using the refill/credit data and raw subscriber service data preferred embodiments of the present invention may independently determine prepaid services utilized by subscribers. Fraud may be detected from these independent determinations of the preferred embodiment by comparing a determined account balance to a selected threshold value and/or by comparing the determined account balance to that of the prepaid calling system.

BACKGROUND

It is not uncommon today to provide services through the use of varioustypes of prepaid accounts. For example, prepaid accounts are inprevalent use in telephony systems, such as in mobile networks orwireless networks. In such systems, a prepaid calling system may beimplemented that controls a subscriber's making of calls such that thesubscriber can only make calls up to the value that they have actuallypaid into a particular account. For example, if the subscriber hasprepaid twenty dollars to a particular account, that subscriber may beenabled to make twenty dollars worth of calls using that account.

There are a variety of system configurations which may be utilized inproviding prepaid calling. For example, a service node system may beutilized in providing prepaid calling services. A service node is asystem that is installed in the network with telephony trunks attachedthereto. The network is configured such that calls or phones identifiedas being prepaid calls or phones are routed through the service node forconnection to the dialed party by the service node when the accountinformation has been verified (this type of in and out calling through aservice node is often referred to as a trombone call or connection). Theservice node may look at various call information, such as the callingparty to retrieve the appropriate account detail and the dialed numberto determine a rate for that call. The service node may then monitor theduration of the call, tracking the account balance. If the accountbalance reaches a predetermined threshold amount, such as reaching azero balance, the service node may end the call, such as bydisconnecting the parties.

Another example of a prepaid calling system may be deployed in anintelligent network (IN) system. Such a system configuration is similarto the service node discussed above, but does not utilize tromboneconnections to a service node. Instead, in an IN prepaid system thenetwork switches control the call and are able to disconnect a call ifan account balance reaches a predetermined threshold amount, such aswhen a zero balance is reached. Typically, the IN prepaid system willoperate very similar to the service node above in determining a properaccount to debit, analyzing the dialed number to determine a call rate,and setting a timer or monitoring the call to disconnect the call whenthe account reaches a particular threshold.

Although the above examples of prepaid systems may be implemented ineither traditional land-line telephone networks or wireless telephonenetworks, one prepaid system heretofore found only in wireless telephonenetworks, such as the group special mobile (GSM) environment of Europe,is a secure identification module (SIM) based prepaid system. In aSIM-based prepaid system, the subscriber account balance or purse isstored on the SIM of the wireless handset. Accordingly, the controlalgorithms of the SIM could stop the handset from making a call when thebalance on the SIM falls below a predetermined threshold, such as whenthe balance reaches zero. In operation, the SIM-based system determinesthe cost of a call that the subscriber is then attempting to setup usingsignaling from the network. The signaling used is called “advice ofcharge” and provides information to allow algorithms in the handset todetermine the cost of the call and, therefore, the time which the callmay be maintained using the current purse balance. These algorithms mayoperate to monitor the call and disconnect the call when the balancereaches a predetermined threshold.

Another prepaid system that has heretofore been implemented only inwireless telephone networks is a handset-based prepaid system. In thehandset-based prepaid system the handset has call tariff informationstored therein. Accordingly, the handset may control rating of the callsbased on the tariff structure which is stored within the handset. Thissolution does not require functionality in the network to performprepaid call accounting. Accordingly, handset-based prepaid systems maybe network independent and, therefore, may be used on multiple networksand may even be allowed to roam internationally.

For the above prepaid systems to operate effectively, they mustaccurately account for the services provided and maintain an accurateaccount balance. However, the majority of these systems operate underthe assumption that the system is working correctly and, therefore, thatfraud is not occurring. But fraud can occur in each of these systems bydifferent mechanisms. In the global market, the fraudsters identify andexploit system aspects which appear to be the weakest point in suchsystems at that point in time. Accordingly, the fraud that occurs tendsto be different year to year.

In the SIM-based prepaid system, for example, proper operation reliesupon provision of accurate advice of charge information from the networkto inform the SIM algorithms of the proper rate a call should beaccounted for costed. Accordingly, fraudsters recognized that if theycould infiltrate the loop in between the advise of charge message comingfrom the network and arriving at the SIM, the fraudsters could changethat data or otherwise corrupt the data such that the SIM algorithms,although operating properly, would not correctly account for the cost ofthe call. For example, the advice of charge information may bemanipulated or usurped to provide artificially low tariff rates, suchthat the SIM algorithms would correctly bill based on the informationthat it was provided, but that the information was incorrect for theactual call being made.

The handset-based prepaid system is not reliant on any signaling orinformation provided from the network and, accordingly, fraud on suchsystems may be accomplished using techniques different than thatdescribed above. Handset-based prepaid systems typically have tariffinformation tables and/or an account balance stored in encrypted memoryto prevent fraud by preventing unauthorized persons from deciphering andmanipulating the data. Using such encrypted data, a fraudster would notbe able to know which bit of memory contained what data and, therefore,would not know what bits need to changed to achieve a desired result.However, fraudsters discovered that, on certain hardware architectures,they could read the information being written from the microprocessor inthe handset to the encrypted memory. For example, some handsetembodiments write this data in a serial fashion which is relatively easyto monitor. Accordingly, the fraudsters could make an exact copy orsnapshot in time of the contents of the encrypted data file and replaythis data to reset the handset to its status at a previous point in time(e.g., at a point before an account balance was depleted). For example,a fraudster might refill or top up the handset account balance once and,as the memory was being written to reflect the refilled amount (e.g.,twenty dollars), a copy of that encrypted data may be made through useof special hardware coupled to the phone. Accordingly, at timesthereafter, such as when the handset is turned off and then back on, theencrypted memory may be reset with this snapshot of the refilled ortopped up handset status. In operation, the handset will operate tocorrectly tariff calls that it makes. However, the account balance willnever be fully depleted because of the fraudster's ability to reset thestatus of the phone.

Service node prepaid systems generally operate under the assumption thatfraud is avoided because the system monitors the call. For example,based on the signaling information that the service node receives, suchas the originating line identity to specify the account calling and thenumber being dialed (the B party number), a service node prepaid systemwill use its tariff tables to rate the call and will monitor theduration of the call to determine a charge for the call. However, suchsystems can be subject to fraud if, for example, a fraudster devises amechanism or a configuration in the network such that if a certain codeis dialed, the call will not be routed through the service node. In sucha situation the service node is never made aware of the call and,therefore, is not provided the opportunity to control the call.Accordingly, although the service node or the prepaid system itself maynot be aware that any calls are being made, and therefore provides noindication of fraud, calls which are not being accounted for areactually being made.

Additionally, it is also possible in a service node prepaid system for afraudster to modify an account balance on the service node by fraudulentmeans, such as through unauthorized access to the accounts by computer“hacking” techniques. Therefore, although the service node prepaidsystem may be operating properly and accurately monitoring a call, thecosts of the call may not in fact be properly paid for.

The IN prepaid system may experience fraud from techniques similar tothose discussed above with respect to the service node prepaid system.For example, in the IN prepaid system triggers and flags are generallyused to make sure that the IN prepaid system is informed about a call'sstatus and allowing the system to control the call as a prepaid call. Afraudster may change settings in the network such that the IN prepaidsystem was not aware of the call and, although the prepaid systemappears to be functioning properly, no fraud is evident. Additionally, afraudster in an IN prepaid system might gain unauthorized access to,i.e., hack, the balances associated with accounts in order to causeparticular accounts to reflect larger balances than have actually beenpaid for, therefore allowing fraud to occur.

Therefore, there is a need in the art for systems and methods fordetecting fraud in prepaid accounts.

There is a further need in the art for fraud detection to be providedindependently of the prepaid system in order to detect fraud occurringon an otherwise properly operating prepaid system.

SUMMARY OF THE INVENTION

The present invention is directed to a system and method which isindependent of, or makes determinations independent from, a primaryprepay system and which preferably uses raw data produced by the networkand/or from the prepay system to determine if fraud is occurring. Forexample, a system of the present invention may receive raw call data,such as the originator of the call, the destination of the call, theduration of the call, and/or the date and time of the call, and analyzethat data by various means to detect, or assist in detecting, if fraudis occurring. Preferred embodiments of the present invention separatelytrack both funds that have been authorized against a prepaid account andthose that have been confirmed as entered into that prepaid account,such as in SIM-based or handset-based prepaid implementations.

Fraud may be detected through comparing the results of the analysis ofthe present invention to other data, such as call accounting from theassociated prepaid system. For example, fraud may be detected if thevalue or costs of calls as monitored by the prepaid system do notsubstantially correspond to independent determinations made according tothe present invention. Additionally or alternatively, fraud may bedetected if the value of refills purchased does not substantially meetor exceed the value or costs of calls as determined according to thepresent invention.

Benefits of fraud detection are increased when any latency between thefraud and its detection is reduced. Accordingly, preferred embodimentsof the present invention call data, such as the aforementioned calldetail records and/or prepaid system refill records, is received andanalyzed according to the present invention as it is generated toprovide real time or near real time fraud determinations. Therefore,preferred embodiments of the present invention ensure that the latencybetween fraud actually occurring and being detected by the system isminimized.

A preferred embodiment of the present invention utilizes a systemproviding call detail record information analysis in communication withthe network and in communication with the prepaid system for which frauddetection is provided. Preferably, the call detail record informationanalysis or other fraud detection analysis of the present invention isconducted on a separate system, such as a call data record (CDR) serverof the preferred embodiment, in order to efficiently process a verylarge volume of fraud detection data without impacting performance ofother systems, such as the associated prepaid system, as well as toprovide additional confidence associated with a fully independent frauddetermination. Alternatively, call detail record information analysis orother fraud detection analysis may be implemented in an available hostsystem, such as a system of the prepaid system, such as where a largevolume of calls is not expected or where impact on other systemprocesses is not a concern.

In operation, the present invention is preferably adapted to allow aprepaid operator to independently track the balances of prepaidaccounts. Accordingly, the present invention is particularly beneficialwhen used with systems, such as the SIM-based prepaid system and thehandset-based prepaid system, wherein account information is maintainedin equipment in the possession of the subscriber.

Moreover, preferred embodiments of the present invention allow a prepaidservice provider, such as in a wireless system, to independentlydetermine the total value of services, such as air time, used by theirsubscribers. Accordingly, a prepaid service provider may determine whatinfrastructure providers, such as a cellular network operator, should beinvoicing the prepaid service provider for use of the system bysubscribers.

The present invention may be further utilized to provide additionalservices to subscribers. For example, the independent account analysisprovided by the present invention may be utilized to provide refunds tosubscribers, such as at termination of service or if a handsetcontaining an account balance fails and the contents of the purse arelost.

Preferred embodiments of the present invention operate to take action toprevent further fraud from occurring when fraud is detected. Forexample, where prepaid account information as determined according tothe present invention varies from that of an associated prepaid systemby a predetermined threshold amount, the present invention may operateto instruct the prepaid system and/or the network to no longer acceptcalls associated with that account. Preferably the aforementionedpredetermined threshold amount is utilized to accommodate slightvariations in the determined results resulting from using raw dataprovided from different sources and/or to accommodate slight variationsin the determined results from utilizing different techniques to achievethe results compared. This threshold value may be enlarged or reduced(even zeroed) or negatived depending upon the particular environments inwhich the invention is deployed, the actual data used, the particularprepaid system for which fraud detection is provided, and/or the levelof fraud detection/prevention desired. Moreover, the threshold value maybe adjusted based upon the particular subscriber, type or category ofsubscriber, type or category of subscriber equipment, and the like.

The foregoing has outlined rather broadly the features and technicaladvantages of the present invention in order that the detaileddescription of the invention that follows may be better understood.Additional features and advantages of the invention will be describedhereinafter which form the subject of the claims of the invention. Itshould be appreciated by those skilled in the art that the conceptionand specific embodiment disclosed may be readily utilized as a basis formodifying or designing other structures for carrying out the samepurposes of the present invention. It should also be realized by thoseskilled in the art that such equivalent constructions do not depart fromthe spirit and scope of the invention as set forth in the appendedclaims. The novel features which are believed to be characteristic ofthe invention, both as to its organization and method of operation,together with further objects and advantages will be better understoodfrom the following description when considered in connection with theaccompanying figures. It is to be expressly understood, however, thateach of the figures is provided for the purpose of illustration anddescription only and is not intended as a definition of the limits ofthe present invention.

BRIEF DESCRIPTION OF THE DRAWING

For a more complete understanding of the present invention, reference isnow made to the following descriptions taken in conjunction with theaccompanying drawing, in which:

FIG. 1 shows a high level block diagram of a service network adapted toinclude a preferred embodiment fraud detection system of the presentintention;

FIG. 2 shows further detail with respect to the system of FIG. 1; and

FIG. 3 shows a flow diagram of operation according to a preferredembodiment of the present invention.

DETAILED DESCRIPTION

Directing attention to FIG. 1, a high level block diagram of a systemadapted to provide fraud detection according to a preferred embodimentof the present invention is shown. The embodiment of the inventionillustrated in FIG. 1 includes preferred embodiment call data record(CDR) server 100. Preferably CDR server 100 includes an interfaceadapted to accept information with respect to calls of interest from anexternal source having such information available thereto.

For example, call data information interface 110 of CDR server 100 maybe adapted to interface with one or a plurality of service networksystems, such as switches, central office systems, mobile switchingcenter systems, network billing systems, and/or the like. Such servicenetwork systems are illustrated as call data system 120, which might bea network billing system for example, having home location registers(HLR) database 121 coupled thereto to provide raw call data. Alsoillustrated in FIG. 1 are network devices 122 and 123, such as may becall switching systems, coupled to call data system 120 to provide rawcall data thereto.

Call data system 120 may operate to provide processing of raw call datareceived from the service network before passing the call data to CDRserver 100. For example, where call data system 120 is a network billingsystem, call data system 120 may provide processing of raw call data inorder to determine billing information usable by the service network.This processed data may be utilized by CDR server 100 provided suchprocessed data still includes that information useful for frauddeterminations according to the present invention, as will be discussedin further detail below.

Processing of raw call data by call data system 120 is not requiredaccording to the present invention. Preferred embodiments of the presentinvention utilize call data in the form it is generated by the servicenetwork systems in order to avoid latencies associated with itsprocessing by other systems and/or to provide accurate information whichis uncolored by any data processing. However, because many servicenetwork systems, such as public switched telephone networks and/orcellular telephone networks, include network billing systems,embodiments of the present invention may utilize information from suchsystems as a reliable call data information source providing data in apredictable format and having consistent content.

As shown in FIG. 1, preferred embodiment CDR server 100 may have varioussystems and/or subcomponents coupled thereto, such as through prepaidsystem interface 101 and/or other interfaces (not shown). Referring nowto FIG. 2, further detail with respect to systems and subcomponentscoupled to CDR server 100 may be seen. For example, CDR server 100preferably includes a database of call rate or tariff information, suchas may be stored in database 211, associated therewith. Preferably,database 211 includes detailed call rate data, such as a rate matrixidentifying various rates and their applicability, times particularrates are effective, particular calls, subscribers, and/or subscriberequipment associated with particular rates.

Additionally, CDR server 100 preferably includes a database ofinformation derived from call detail record information received fromthe service network systems according to the present invention, such assubscriber balances and/or report data, as may be stored in database212. This information may be utilized in providing various reports 214,such as reports indicating those accounts for which fraud is suspected,usage statistics, network utilization statistics, and the like.

CDR server 100 may additionally or alternatively store the information,or some portion thereof, used in deriving information according to thepresent invention. For example, database 212 may store call detailrecord information received from the service network systems utilized indetermining subscriber balances and/or other report data. CDR server 100may also be adapted to archive information, whether rate information,call detail record information, information derived from the call detailrecord information, or like information, such as through use of archivesystem 213.

Various systems and subsystems in addition to those discussed above arealso shown coupled to the preferred embodiment CDR server illustrated inFIG. 2. These systems and subsystems may be a part of a prepaid callingsystem, such as prepaid calling system 250. For example, prepaid callingsystem 250 may include debit authorization servers (DAS), such as DAS131–132 having databases 231–232 associated therewith, useful inauthorizing subscriber's calls before, during, or after such calls areplaced by a particular subscriber. A preferred embodiment DAS alsoprovides for secured communication of information, such as the securecreation of encrypted information (e.g., tariffs, credit updates, etc.)which can be sent over the network to subscriber units. Prepaid callingsystem 250 may further include customer support systems (CSS), such asCSS 111–112 having databases 211–212 associated therewith, useful inmaintaining subscriber information, such as identification ofsubscribers, identification of subscriber equipment, information withrespect to subscriber's accounts, and/or the like.

Additionally, prepaid calling system 250 may include various systems orsubsystems useful for the input and output of information. For example,prepaid calling system 250 may include one or more agent terminals, suchas customer care workstations 141–146, useful in providing humaninteraction with subscribers and/or their associated data on prepaidcalling system 250. Additionally or alternatively, prepaid callingsystem 250 may include a service network system interface, such asinteractive voice response (IVR) system 150, useful in providingcommunication between prepaid calling system 250 and subscribers using aservice network coupled thereto and/or the various systems of theservice network coupled thereto.

For example, service network 200, such as may include a cellularcommunication network, the public switched telephone network (PSTN), theInternet, or other communication networks and/or combinations thereof,may be coupled to prepaid calling system 250 through IVR system 150.Accordingly, one or more subscribers, such as may utilize subscriberunits such as wireless or cellular phone 201, telephone 202, wirelesspersonal digital assistant (PDA) 203, and multimedia computer 204, maybe provided access to systems or information of prepaid calling system250. Similarly, information may be communicated between prepaid callingsystem 250 and systems of service network 200, such as billing system220. Of course, interfaces, such as data network interfaces (not shown),may be utilized in providing communication between prepaid callingsystem 250 and service network 200, or the systems external thereto, ifdesired.

Preferably, CDR server 100 is in information communication with prepaidcalling system 250 to thereby facilitate CDR server 100's ability todetect fraud and/or analyze other subscriber information according tothe present invention. For example, IVR system 150, or other subsystemof prepaid calling system 250 such as CSS servers 111–112 or DAS servers131–132, may provide subscriber account information to CDR server 100for use in fraud detection. Most preferably, DAS servers 131–132 provideCDR server 100 with information with respect to subscriber accountrefill or “top up.” Accordingly, CDR server 100 may to determine thevalue of a particular subscriber's calls, preferably using theaforementioned raw call detail record information provided by servicenetwork 200 and call rate or tariff information stored in database 211,and compare a total of this independently determined subscriber callvalue data with the subscriber's refill or top up history to determineif sufficient funds have actually been provided to support the actualcalls being made. Accordingly, it should be appreciated that the presentinvention may be utilized to detect fraud with respect to any of theprepaid systems described above as well as other system configurationsnot specifically described herein.

Operation according to a preferred embodiment of the present inventionis illustrated in the flow diagram of FIG. 3. In the illustratedembodiment, a cell phone service subscriber, such as a subscriberutilizing cellular phone 201, may establish a prepaid account with aservice provider associated with prepaid calling system 250 (step 301)by dialing a particular phone number associated with IVR system 150 tothereby connect with prepaid calling system 250 through service network200. IVR system 150 may initiate a dialogue with the subscriber tosolicit subscriber information, such as subscriber identification,subscriber unit identification, payment information, and the like.Accordingly, through interaction of the subscriber with IVR system 150 aprepaid account may be activated with an initial deposit of funds storedin prepaid calling system 250. For example, $50.00 may be charged to thesubscriber's credit card account and credited to a prepaid callingsystem purse associated with the subscriber in database 211 of CSSserver 111.

Preferably, prepaid calling system 250 communicates subscriberinformation to a fraud detection system of the present invention (step302). For example, IVR system 150, CSS server 111 or 112, DAS server 131or 132, or other system of prepaid calling system 250, may communicatewith CDR server 100 to provide information that this particularsubscriber has credited $50.00 to an associated prepaid account, whichinformation may be stored in database 212 associated with CDR server100. Accordingly, CDR server 100 receives information with respect toreplenishments that have occurred. The information provided to CDRserver 100 may include additional information useful in detecting fraudor otherwise analyzing operation of the prepaid calling system, such asthe current total credit balance associated with the subscriber storedby prepaid calling system 250, if desired.

In the above example, because the subscriber is a newly establishedaccount, prepaid calling system 250 may provide ancillary information inthis initial communication sufficient for CDR server 100 to properlyestablish fraud detection with respect to the subscriber's accountaccording to the present invention. For example, subscriber unitinformation, such as the phone number, electronic serial number, mobileidentification number, and/or like information, may be provided tofacilitate CDR server 100's ability to associate raw call detail recordinformation provided by service network 100 associated with thesubscriber's calls with the proper prepaid account information.

Ancillary information, perhaps a subset of that used in initializing asubscriber's account, may also be utilized in subsequent communicationsto facilitate operation according to the present invention. For example,prepaid calling system 250 may provide unique subscriber accountinformation to aid CDR server 100 and prepaid calling system 250'sinteraction with respect to this particular subscriber. Accordingly,subsequent information communicated there between may include thisunique information in order to easily allow any accompanyinginformation, such as refill amounts, prepaid purse balances, call rateupdate information, and the like, to be associated with the correctsubscriber records.

Because the subscriber in this example is a newly establishedsubscriber, the information with respect to this subscriber is expectedto remain substantially unaltered as stored by CDR server 100. However,it may be desirable in particular situations for CDR server 100 tomanipulate the data. For example, where information is provided for anestablished subscriber, CDR server 100 may manipulate this data priorto, or after, storage. For example, CDR server 100 may sum a remainingprepaid balance associated with the subscriber with the amount of therefill prepaid amount provided by the prepaid calling service. Thisapproach is preferred in order to allow CDR server 100 to maintain anindependent accounting of subscriber balances and, thereby, detect fraudwhere the subscriber's total balance stored by prepaid server 250 isaltered without a proper refill transaction having been performed.

Once the subscriber has established an account with prepaid system 250,the subscriber may utilize the prepaid services (step 303), i.e., inthis example the subscriber may make calls utilizing service network200. As the subscriber makes calls according to this exemplaryembodiment, service network 200 will create call detail records for eachand every call that is made in the network.

It should be appreciated that, although the same service network isdiscussed with respect to a subscriber contacting prepaid call system250 for account management functions and with respect to actuallyproviding the subscriber services, there is no such limitation accordingto the present invention. For example, a subscriber might performmanagement functions, such as the aforementioned account initializationand/or refill operations through a first network, such as the Internet,while subscriber services, such as prepaid calls, are provided through asecond network, such as the PSTN.

Prepaid system 250 accounts for the services provided to the subscriberand debits the subscriber's prepaid account balance accordingly (step304). For example, prepaid calling system 250 may be a service nodesystem, as described above, where calls or phones identified as beingprepaid calls or phones are routed through the prepaid calling systemfor connection to the dialed party by the service node when the accountinformation has been verified and thereafter credit balance debiting maybe performed. Alternatively, prepaid system 250 may employ anothertopology, such as the above described IN system, handset-based prepaidconfiguration, etcetera.

Systems of the service network create call information, such as calldetail records, reflecting the subscribers use of the service network(step 305). This subscriber call information preferably includes suchinformation as the start time of the call, the end time of the call, Aparty (or calling party) information, and B party (or called party)information. Additionally, the subscriber call information may includefurther detail with respect to the subscriber's use of the servicenetwork, such as identification of particular resources used, enhancedservices provided, quality of service provided indicators, and the like.For example, different network elements of service network 200 mayprovide information with respect to a particular call having been madeby a particular phone to a particular number and lasted this duration.This information may be collected centrally within service network 200,such as at billing system 220 or at a service control point (not shown).

CDR server 100 acquires subscriber call information and independentlydetermines the value of services provided to the subscriber (step 306).For example, raw subscriber call information is preferably passed fromsystems of service network 200 to CDR server 100. In operation, CDRserver 100 preferably utilizes the subscriber call information toindependently determine the value of services provided, such as byutilizing rate information stored in database 211, and/or to makerelevant adjustments to the account balance corresponding to thatsubscriber that is stored within the CDR server, such as in database212.

According to one embodiment of the present invention, subscriber callinformation may be provided by the various systems of service network200, such as the switches utilized in establishing a subscriber's call,HLR 121, and/or other network systems, to a centralized data collectionpoint, such as billing system 220 used in billing service providersand/or subscribers for the services provided. This information may beprocessed from its most raw form, such as to determine call durationsfrom call start and end times and/or to calculate the cost of the call.The information gathered by such a centralized data collection point ispreferably provided to CDR server 100 continuously, such as throughout acall as the data elements are generated, or periodically, such as at thecompletion of each call, at the end of each hour or day, or at the endof a standard billing cycle. Preferred embodiments acquire theinformation as quickly as possible after the completion of a call toavoid or minimize latency in making fraud determinations according tothe present invention.

Although the subscriber call data may be processed to some extent bysuch a centralized data collection point, the data provided to CDRserver 100 preferably includes substantially raw data for use inindependent service value determinations by CDR server 100. For example,a typical report data stream provided by billing system 220 may includethe calculated cost of the call accompanied by the raw data, or someportion thereof, used in determining this cost.

It should be appreciated that the volume of data may be quitesubstantial. For example, in a cellular prepaid system a typical mobilephone may make two to three calls a day. In a system providing serviceto a large number of subscribers, such as on the order of four or fivemillion subscribers, there is a large amount of data associated with thesubscriber activity. A reasonable time to store such data may be thelifetime of a given handset proposition, i.e., the business rule thatsays how often the phone needs to be refilled in order not be determinedto be inactive on the system. Some such handset propositions are oneyear, thereby suggesting that data utilized according to the presentinvention should be stored one year. If the present invention were tostore all data associated with a particular subscriber's call, and wereto store it a reasonable amount of time, it is easy to see that a verylarge amount of data storage and handling capacity would be required.

Accordingly, preferred embodiments of the present invention perform“data culling” such that received subscriber call information, such asin a predetermined format, not helpful in operation according to thepresent invention, such as calculated costs of the call, is ignored ordiscarded and some portion of the most raw data, i.e., the data havingbeen processed or altered the least after its generation by a datasource, such as the originator of the call, the destination of the call,the duration of the call, and the date and time that the call is made,is used and/or stored in operation according to the present invention.Accordingly, preferred embodiment CDR server 100 system capacity may beoptimized. In addition to the above discussed system capacity advantagesassociated with the preferred embodiment data culling, the most raw dataavailable is preferably utilized by CDR server 100 in its determinationsto thereby avoid any error or fraud associated with data processing bysystems external thereto. However, alternative embodiments of CDR server100 of the present invention may utilize any level of processed dataconsistent with the level of confidence desired with respect toindependent determinations made.

Centralized data collection point systems, such as billing system 220,often process information on a batch basis and provide it on a periodicbasis, e.g., once a day, and therefore may result in increased latencyin fraud detection associated with their use. Moreover, such systems maypresent other issues with respect to particular implementations of thepresent invention. For example, service network billing systems utilizedin a handset-based prepaid system are typically not aware of the exactdate and time that a tariff changes on a handset and, therefore, theservice value calculation that such systems makes is at best anapproximation of the prepaid value of the service. Accordingly, theprocessing of subscriber call information by such systems is often oflittle or no value to the operation of the present invention.

However, it should be appreciated that the use of a centralized datacollection point, such as the aforementioned service network billingsystem, may be desired according to particular embodiments of thepresent invention. For example, service networks might already have aservice network billing system deployed therein to calculate the cost ofcalls, such as to determine the revenue that should be paid to orcollected from service providers by the network operator. Similarly,prepaid system infrastructure may include such billing systems toprovide a very broad brush network view of services used by theirsubscriber base, such as the what types of numbers are being dialed(e.g., are the subscribers primarily dialing international numbers, longdistance numbers, or local numbers), how many minutes of usage are thesubscribers averaging and at what times of day, etcetera. Accordingly, aservice network billing system may provide a readily available sourcefor acquiring subscriber call information for use according to thepresent invention.

However, it should be appreciated that the present invention does notrequire such a billing system and, therefore, embodiments of the presentinvention collect information from the service network without employingsuch a billing system. For example, preferred embodiments of the presentinvention are provided subscriber call information from service networksystems such as a HLR database or mobile switching center (MSC) of theservice network. Such embodiments may be preferred because, if CDRserver 100 is able to acquire the raw data prior to the billing systemrather than after the billing system, such an implementation is expectedto result in the latency of acquiring the data being reduced. The morequickly CDR server 100 can acquire the call data, the more quickly frauddeterminations may be made and, therefore, fraud can be stopped orprevented.

Having independently determined the value of services from subscribercall information available from the service network, the presentinvention preferably operates to make determinations, e.g., frauddeterminations, with respect to the relevant subscriber's account (step307). For example, on an account-by-account basis, the CDR server of thepreferred embodiment will have information with respect to all refill orcredit operations for a subscriber account and may take the time anddate that such refills or credits have occurred with the subscriber callinformation to determine how much money has gone into that account. At amost basic level, a comparison of money that has gone into an accountand the money that has been spent by that account may be made and if themoney spent by the account is the larger amount a determination of fraudmay be made.

Preferably, fraud detection determinations are made by CDR server bycomparing an adjusted account balance (the adjusted account balancebeing determined from account refill/credit information provided to theCDR server, as described above, having the value of services provideddetermined by CDR server 100, as described above, dedicated therefrom)to a given threshold. A threshold comparison is utilized according to apreferred embodiment to accommodate some hysteresis in the system, e.g.,it is possible that the duration of call indicated by the network isslightly different by one or two seconds or more compared to what theprepaid system that has costed that call believes is the case. However,the basic premises of the preferred embodiment is that an account shouldnot be enabled to spend more than a given threshold more or less thanwhat has gone into that account. For example, a given level ofnegativity may be allowed before a determination of fraud is made toallow for differences in the techniques and/or accuracy of service valuecalculations between CDR server 100 and prepaid calling system 250.Accordingly, the aforementioned threshold may be a negative value, suchas −$10.00. Alternatively, the threshold value may be a positive value,such as $5.00, to ensure that services provided are always prepaid.

It should be appreciated that the above threshold value may be selectedbased upon a desired system operation and, therefore, may be a variablewhich is set by a system operator. Moreover, different threshold valuesmay be utilized in a single system, such as to provide differentthreshold values for particular subscribers, particular categories ofsubscribers, particular categories of subscriber equipment, particularcategories of services, and the like. For example, particular types ofsubscriber equipment that have historically experienced disproportionateamounts of fraud may have a higher threshold level associated therewith.Similarly, subscriber accounts using subscriber services which havehistorically experienced disproportionate amounts of fraud may have ahigher threshold level associated therewith.

Additionally or alternatively fraud detection determinations may be madethrough comparison of independently determined service values and/orsubscriber account balances. For example, information provided to CDRserver 100 by prepaid calling system 250 may include information such asthe current total credit balance associated with the subscriber storedby prepaid calling system 250, if desired. Accordingly, CDR server 100may compare its independently determined current balance, determinedfrom deducting values of calls as indicated by call detail recordsprovided by network 200 from the subscriber's refill balance totalindicated by refill information provided at each refill operation byprepaid calling system 250, to the current prepaid balance stored byprepaid calling system 250. Irrespective of comparison to a thresholdamount to determine instances of fraud as discussed above, if asufficient discrepancy or variance between an adjusted account balanceof CDR server 100 and an account balance as available to prepaid callingsystem 250 is determined to exist, a determination that fraud isoccurring may be made. Here, as with the above described frauddetermination, a threshold value, which may be varied from system tosystem, subscriber to subscriber, etcetera, is preferably utilized toaccommodate differences in the techniques and/or accuracy of servicevalue calculations between CDR server 100 and prepaid calling system250.

As discussed above, the preferred embodiment CDR server will determinewhat it believes the account balance should be for each and everyaccount for which it receives call detail records. If the CDR serverdoes not receive call detail records with respect to a particularaccount then it may assume that the account is not being used. However,if an account has never been activated for a particular subscriber orsubscriber unit for which calling services are provided within thenetwork, call data would be produced by the network elements for suchcalls and provided to the CDR server of the present invention.Preferably, the CDR server would very quickly show a negative value forthis account which had no refill history and, accordingly, would detectfraud and react accordingly.

If the account status is found to be acceptable at step 307, thepreferred embodiment operates to allow the subscriber to acquire furtherservices (e.g., returning to step 302 to allow updating of subscriberaccount information associated with refill operations and utilization ofservices). However, if undesired account status is detected at step 307,the preferred embodiment operates to take appropriate action tomitigate/prevent further undesired account status operation (step 308).Such action may include generation and transmission of a report or alarmto a system operator in order that a decision may be made with respectto taking action to bar the particular subscriber from acquiring furtherservices until the appropriate account status is rectified.Alternatively, the present invention may operate to automatically barthe offending subscriber by communicating to the appropriate servicenetwork systems, such as communicating through the service network'sprovisioning system to HLR 121 and setting the proper registers toactually bar the subscriber.

It should be appreciated that a combination of actions may be taken withrespect to particular subscriber's account status. For example, a firstthreshold value may be established which when data comparisons, asdiscussed above, indicate the threshold has been crossed a report oralarm to the system operator may be implemented to instigate furtheranalysis or further monitoring of a particular account. However, asecond threshold value may be established which when data comparisonsindicate the threshold has been crossed the subscriber is automaticallybarred from further service acquisition. Accordingly, a hierarchy ofremedial action may be implemented according to the present invention.

Preferably, as discussed above, a CDR server operating according to thepresent invention determines and/or maintains an adjusted accountbalance or a shadow prepaid balance. However, because of the nature ofthe service network, such as typical telephone systems that includegrounding errors, differences in timing, etcetera, the subscriber'spurse as stored by prepaid system 250 and the adjusted account balanceas determined by CDR server 100 may naturally differ slightly and suchdifferences may continue to grow as these errors and differencesaggregate. Accordingly, preferred embodiments of the present inventioninclude a mechanism for synchronizing the accounts over time, such asusing a set of synchronization rules, so that the system can operate inperpetuity without a slowly increasing inaccuracy causing a malfunctionor failure.

For example, the CDR server adjusted account balance may be periodicallyset to that of the prepaid calling service after a comparison to verifythat the two balances are within a predetermined threshold amount. Thisthreshold amount may be established based upon an amount at which it maybe assumed that no fraud has occurred or that only negligible fraudmight have been experienced, and may be the same as one or more of thethreshold values described above.

Additionally or alternatively, synchronization may be accomplished basedupon criteria other than the correspondence of the adjusted accountbalance of the CDR server and the account balance of the prepaid callingsystem. For example, after a determination that no, or negligible, fraudis present based upon the adjusted account balance not being within aparticular threshold value as described above, the account balances maybe synchronized.

It should be appreciated that operation of preferred embodiments of thepresent invention provides flexibility to accommodate changing oftariffs on a per subscriber basis. For example, when a tariff is to beimplemented for a particular subscriber or for a class of subscribers,tariff change information, e.g., rate update information, may beprovided to the CDR server of the present invention, possibly withinformation as to when the change is to be implemented. Accordingly, theCDR server is able to implement the new rates for each subscriber as therates take effect. In a preferred embodiment, tariff information isprovided to the CDR server accompanying the transmission ofrefill/credit information for that subscriber account. This technique isclearly effective with systems which implement rate changes with arefill operation. However, this technique is also effective with systemswhich implement rate changes at a particular time or day because therate update data can include an effective time or day and the raw calldata provided to the CDR server is expected to include correspondingtime information.

The rate data utilized by the CDR server of the preferred embodiment isnot limited to information typically thought of as call rating data. Forexample, the rate data may include a list of special billed numbers,such as designated numbers for which the subscriber receives free orreduced rate calling. Accordingly, the present invention providesflexibility to accommodate specific exception numbers or special billednumbers with respect to a particular handset.

Although the present invention and its advantages have been described indetail, it should be understood that various changes, substitutions andalterations can be made herein without departing from the spirit andscope of the invention as defined by the appended claims. Moreover, thescope of the present application is not intended to be limited to theparticular embodiments of the process, machine, manufacture, compositionof matter, means, methods and steps described in the specification. Asone of ordinary skill in the art will readily appreciate from thedisclosure of the present invention, processes, machines, manufacture,compositions of matter, means, methods, or steps, presently existing orlater to be developed that perform substantially the same function orachieve substantially the same result as the corresponding embodimentsdescribed herein may be utilized according to the present invention.Accordingly, the appended claims are intended to include within theirscope such processes, machines, manufacture, compositions of matter,means, methods, or steps.

1. A system for detecting fraud in a prepaid system, said frauddetecting system comprising: an interface to said prepaid system,wherein said prepaid system accounts for subscriber account credits andsubscriber account debits to thereby determine a subscriber prepaidbalance for use in operating said prepaid system, wherein said prepaidsystem interface accepts prepaid account credit information from saidprepaid system; an interface to a service system, wherein said servicesystem interface accepts information with respect to services provided;and control logic utilizing said prepaid account credit informationaccepted through said prepaid system interface and said information withrespect to services provided accepted through said service systeminterface to thereby determine a fraud detection subscriber accountbalance, wherein said control logic utilizes said fraud detectionsubscriber account balance to determine a fraud condition in anassociated subscriber account independent of said determination of saidsubscriber prepaid balance by said prepaid system.
 2. The system ofclaim 1, wherein said prepaid system comprises a prepaid calling system.3. The system of claim 2, wherein subscriber units utilizing saidprepaid calling system store a secure prepaid credit value on asubscriber unit.
 4. The system of claim 2, wherein said prepaid callingsystem stores secure prepaid credit values for a plurality ofsubscribers in a centralized memory.
 5. The system of claim 1, whereinsaid prepaid account credit information accepted by said prepaid systeminterface is information with respect to refill of a correspondingsubscriber account.
 6. The system of claim 5, wherein said refillinformation includes a refill amount and time information with respectto said refill amount.
 7. The system of claim 1, wherein said servicesystem comprises a wireless communication system.
 8. The system of claim1, wherein said information with respect to services provided includessubstantially unprocessed service data associated with a particularsubscriber service transaction.
 9. The system of claim 8, furthercomprising: service rating information stored in communication with saidcontrol logic, wherein said substantially unprocessed service dataincludes information provided by components of said service networksufficient for allowing a determination of service value using saidservice rating information.
 10. The system of claim 9, wherein saidservice rating information is provided to said fraud detecting system bysaid prepaid system.
 11. The system of claim 9, wherein said servicerating information includes information with respect to a time at whichparticular rating information is to be effective.
 12. The system ofclaim 9, wherein said substantially unprocessed service data includesinformation with respect to a calling party, information with respect toa called party, and information with respect to a length of a call. 13.The system of claim 12, wherein said information with respect to alength of a call includes information with respect to a time of saidcall.
 14. The system of claim 12, wherein said substantially unprocessedservice data is accompanied by substantially processed data, whereinsaid substantially processed data is culled by said fraud detectingsystem.
 15. The system of claim 14, wherein said substantially processeddata includes a determination of service value by a system external tosaid fraud detecting system.
 16. The system of claim 15, wherein saidsystem external to said fraud detecting system is a billing system ofsaid service system.
 17. The system of claim 1, wherein said fraudcondition determination is made at least in part through comparison ofsaid fraud detection subscriber account balance to a predeterminedthreshold value.
 18. The system of claim 17, wherein said thresholdvalue is selected to accommodate an acceptable amount of difference in asubscriber account balance as determined by said prepaid system and saidfraud detecting system.
 19. The system of claim 18, wherein saidthreshold value is a negative value.
 20. The system of claim 1, whereinsaid fraud condition determination includes a hierarchy of frauddeterminations.
 21. The system of claim 20, wherein said hierarchy offraud determinations includes a first fraud condition determinationhaving a first response associated therewith and a second fraudcondition determination having a second response associated therewith.22. The system of claim 21, wherein said first fraud conditiondetermination is made at least in part through comparison of said frauddetection subscriber account balance to a first predetermined thresholdvalue, and wherein said second fraud condition determination is made atleast in part through comparison of said fraud detection subscriberaccount balance to a second predetermined threshold value, wherein saidfirst predetermined threshold value is greater than said secondpredetermined threshold value.
 23. The system of claim 21, wherein saidfirst fraud condition is associated with a suspicion of fraud and saidsecond fraud condition is associated with a conclusion of fraud.
 24. Thesystem of claim 21, wherein said first response includes a notificationtransmitted to said prepaid system by said fraud detecting system, andwherein said second response includes information with respect tosubscriber activity suspension transmitted to said service system. 25.The system of claim 1, wherein, when said determination of said fraudcondition by said control logic indicates an unacceptable level offraud, information with respect to subscriber activity suspension istransmitted to said service system to thereby prevent further use ofsaid service system by an associated subscriber.
 26. The system of claim1, wherein said control logic further utilizes said information withrespect to services provided accepted through said service systeminterface to determine charges with respect to said service systemassociated with use of said prepaid system.
 27. A method for detectingfraudulent use of a service network associated with a prepaid system,said method comprising: interfacing a fraud detection system to saidprepaid system, wherein said prepaid system accounts for subscriberaccount credits and subscriber account debits to thereby determine asubscriber prepaid balance for use of said service network; interfacingsaid fraud detection system to said service network, wherein saidservice network provides communication of subscriber information andgenerates transaction information associated with communication of saidsubscriber information; accepting prepaid account credit informationfrom said prepaid system at said fraud detection system; acceptingtransaction information from said service network at said frauddetection system; determining a service value using said acceptedtransaction information; and determining a fraud condition in anassociated subscriber account as a function of said accepted prepaidaccount credit information and said service value determined.
 28. Themethod of claim 27, wherein said accepted prepaid account informationcomprises information with respect to subscriber account value refill byan associated subscriber.
 29. The method of claim 28, wherein saidaccepted prepaid account information further comprises information withrespect to a time of said subscriber account value refill.
 30. Themethod of claim 28, wherein said accepted prepaid account informationfurther comprises service rating information.
 31. The method of claim27, wherein said prepaid system is a prepaid calling system, and whereinsaid method further comprises: said prepaid calling system interactingwith subscribers to determine a subscriber account credit.
 32. Themethod of claim 31, wherein said prepaid account credit informationaccepting step is performed in close temporal proximity to saidinteraction between said subscriber and said prepaid calling system. 33.The method of claim 32, wherein said close temporal proximity issubstantially immediately after completion of said interaction betweensaid subscriber and said prepaid calling system.
 34. The method of claim27, wherein said service network comprises a voice communicationnetwork, and wherein said method further comprises: at least one networkelement of said service network generating data of said transactioninformation.
 35. The method of claim 34, wherein said voicecommunication network comprises a cellular wireless communicationnetwork.
 36. The method of claim 34, wherein said at least one networkelement is a network element of said service network utilized inproviding communication of subscriber information in a transactionassociated with said transaction information.
 37. The method of claim36, wherein said at least one network element is a network switch. 38.The method of claim 36, wherein said at least one network element is amobile switching center.
 39. The method of claim 34, wherein saidtransaction information accepting step is performed in close temporalproximity to said data generation.
 40. The method of claim 39, whereinsaid close temporal proximity is substantially immediately aftercompletion of said transaction.
 41. The method of claim 34, wherein saidtransaction information includes information with respect to a callingparty, information with respect to a called party, and information withrespect to a length of a call.
 42. The method of claim 34, wherein saidgenerated data is substantially unprocessed when accepted at said frauddetection system.
 43. The method of claim 42, wherein said substantiallyunprocessed generated data accepted at said fraud detection system isaccompanied by substantially processed data, wherein said substantiallyprocessed data is culled by said fraud detection system.
 44. The methodof claim 42, wherein said substantially processed data includes adetermination of service value by a system external to said frauddetection system.
 45. The method of claim 44, wherein said systemexternal to said fraud detection system is a billing system of saidservice network.
 46. The method of claim 27, further comprising:determining a fraud detection subscriber account balance using saidservice value determined by said fraud detection system.
 47. The methodof claim 46, further comprising: periodically synchronizing said frauddetection subscriber account balance and said subscriber prepaidbalance.
 48. The method of claim 47, wherein said synchronizing isaccomplished after a determination that an unacceptable fraud conditiondoes not exist in said fraud condition determining step.
 49. The methodof claim 47, wherein said synchronizing is accomplished after apredetermined amount of credit value has been deducted from saidsubscriber prepaid balance.
 50. The method of claim 47, wherein saidsynchronizing is accomplished after a predetermined amount of creditvalue has been added to said subscriber prepaid balance.
 51. The methodof claim 46, wherein said step of determining a fraud conditioncomprises: comparing said fraud detection subscriber account balance toa predetermined threshold value.
 52. The method of claim 51, furthercomprising: determining said predetermined threshold value as a functionof an acceptable difference between said subscriber prepaid balance asdetermined by said prepaid system and said fraud detection subscriberaccount balance as determined by said fraud detection system.
 53. Themethod of claim 52, wherein said acceptable difference is associatedwith a difference in techniques to achieve said subscriber prepaidbalance and said fraud detection subscriber account balance.
 54. Themethod of claim 51, wherein said predetermined threshold value isnegative.
 55. The method of claim 51, further comprising: selecting saidpredetermined threshold value as a function of a particular environmentin which said fraud detection system is deployed.
 56. The method ofclaim 51, further comprising: selecting said predetermined thresholdvalue as a function of a particular prepaid system for which frauddetection is provided.
 57. The method of claim 51, further comprising:selecting said predetermined threshold value as a function of aparticular subscriber.
 58. The method of claim 51, further comprising:selecting said predetermined threshold value as a function of aparticular category of subscriber.
 59. The method of claim 51, furthercomprising: selecting said predetermined threshold value as a functionof a particular category of subscriber equipment.
 60. The method ofclaim 27, further comprising: selecting a first threshold value; andselecting a second threshold value, wherein said first and secondthreshold values are utilized in determining a first and second fraudcondition in said fraud condition determining step.
 61. The method ofclaim 60, further comprising: transmitting a signal for said associatedsubscriber account to said prepaid system when said first thresholdvalue is exceeded; and transmitting an account suspension signal forsaid associated subscriber account to said service network when saidsecond threshold value is exceeded.
 62. A method for detectingfraudulent use of a telephone network, said method comprising:interfacing a prepaid calling system with said telephone network,wherein said prepaid calling system interacts with subscribers toprovide credits to an associated subscriber prepaid account and saidprepaid calling system interacts with said telephone network to debitsubscriber prepaid accounts corresponding to subscriber use of saidtelephone network to thereby determine subscriber prepaid accountbalances; selecting a fraud threshold value for use by a call datarecord server; interfacing said call data record server to said prepaidcalling system; interfacing said call data record server to saidtelephone network; accepting prepaid account credit information fromsaid prepaid calling system at said call data record server, whereinsaid prepaid account information is accepted by said call data recordserver substantially at the completion of interaction between saidprepaid calling system and said subscriber; accepting subscriber callinformation from said telephone network at said call data record server,wherein said subscriber call information is accepted by said call datarecord server substantially at the completion of an associated call;determining a value of a subscriber call using said accepted subscribercall information; determining a call data server subscriber accountbalance using said determined subscriber call value and said acceptedprepaid account credit information; comparing said determined call dataserver subscriber account balance to said threshold value; anddetermining if an unacceptable level of fraud is associated with aparticular subscriber prepaid account as a function of said comparison.63. The method of claim 62, wherein said prepaid calling system stores asecure prepaid credit value on subscriber equipment.
 64. The method ofclaim 62, wherein said threshold value is selected as a function of aparticular type of subscriber equipment.
 65. The method of claim 62,wherein said threshold value is selected as a function of a particularsubscriber.
 66. The method of claim 62, wherein said threshold value isselected as a function of a particular type of subscriber.
 67. Themethod of claim 62, wherein said accepted prepaid account informationcomprises information with respect to subscriber account value refill byan associated subscriber.
 68. The method of claim 67, wherein saidaccepted prepaid account information further comprises call ratinginformation, wherein said call rating information is utilized by saidcall data server subscriber account balance determining step.
 69. Themethod of claim 62, further comprises: at least one network element ofsaid telephone network generating data of said subscriber callinformation, wherein said at least one network element is utilized bysaid telephone network in providing a call associated with saidgenerated data.
 70. The method of claim 69, wherein said generated datais substantially unprocessed when accepted at said call data server.